Re: Subject Alternative Name in TLS - does this work?
Hi,
On Thu, 17 Oct 2013, lejeczek wrote:
> Dear all,
> I'm trying to set up a seemingly simple setup:
> having a box with openldap, I want it to use TLS on both internal and external
> hostnames/IPs.
> openldap was set up earlier and was/is working.
> I generate a TLS certificate with SAN.
> Everything seems to be working fine,
> but
> when I ldapsearch on the external fqdn/IP (which in the certificate is the
> subjectAltName) the search fails,
> whereas it succeeds on the internal fqdn (which is the hostname / CN in the
> certificate).
> The error is: additional info: TLS error -8157:Certificate extension not found.
> Is such a scenario even possible? Having the very same DN being served on more
> than one name via TLS?
If this is what you are looking for I can confirm that I have a setup with ldaps:// and ldap:// with TLS that uses subjectAltNames in the certificates.
Relevant parts of the x509 cert with customer name obfuscated
We have this on one server:
Subject: C=XX, ST=State, L=City, O=Company, CN=ldap1.example.org
X509v3 Subject Alternative Name:
DNS:ldap1.example.org, DNS:ldap1, DNS:ldap-cluster.example.org, DNS:ldap-cluster
We have this on the other server:
Subject: C=XX, ST=State, L=City, O=Company, CN=ldap2.example.org
X509v3 Subject Alternative Name:
DNS:ldap2.example.org, DNS:ldap2, DNS:ldap-cluster.example.org, DNS:ldap-cluster
We can connect to ldap-cluster.example.org just fine, independent of which server the load balancer directs the TCP connection to.
This is using openldap-2.4.36
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
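The name-matching rule behind the reply above (every name a client may use must appear in the SAN of every cluster member's certificate, and once a SAN carries DNS names the CN no longer counts), as an added example that is not code from the list posters or from OpenLDAP. The certificate dicts are constructed to mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns for the two certificates quoted above; the names and the `INTERNAL_ONLY_CERT` are sample values.

```python
import ipaddress

# Constructed sample data mirroring ssl.SSLSocket.getpeercert() output for the two
# certificates quoted in the reply above (example values, not real certificates).
def _cert(cn, *sans):
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(sans)}

LDAP1_CERT = _cert("ldap1.example.org", ("DNS", "ldap1.example.org"), ("DNS", "ldap1"),
                   ("DNS", "ldap-cluster.example.org"), ("DNS", "ldap-cluster"))
LDAP2_CERT = _cert("ldap2.example.org", ("DNS", "ldap2.example.org"), ("DNS", "ldap2"),
                   ("DNS", "ldap-cluster.example.org"), ("DNS", "ldap-cluster"))
# Like the original poster's certificate: only the internal hostname is covered.
INTERNAL_ONLY_CERT = _cert("ldap.internal", ("DNS", "ldap.internal"))

def _same_name(a, b):
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def cert_covers(cert, name):
    """Return the certificate entry that covers `name`, or None if a client would reject it."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN entry, never a DNS name or the CN.
        hits = [v for k, v in san if k == "IP Address" and ipaddress.ip_address(v) == ip]
        return ("IP Address", hits[0]) if hits else None
    for kind, value in san:
        if kind == "DNS" and _same_name(value, name):
            return ("DNS", value)
    if any(kind == "DNS" for kind, _ in san):
        # Once the SAN carries DNS names, clients ignore the CN entirely.
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _same_name(value, name):
                return ("CN", value)
    return None

def cluster_ok(certs, names):
    """Each name clients may use must be covered by every member behind the load balancer."""
    return {n: all(cert_covers(c, n) is not None for c in certs) for n in names}
```

Running `cluster_ok([LDAP1_CERT, LDAP2_CERT], [...])` before deploying a new certificate shows which client-facing names would fail on at least one cluster member.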